Thursday, December 10, 2009

An interview with Russell May of 4N6 Investigation is now online at http://www.forensicfocus.com/russell-may-interview-101209. Russell is a well known figure in the computer forensics world with a reputation for providing some of the best training courses available. Enjoy the interview!

Friday, December 04, 2009

There is a PhD position available at the Centre for Forensic Computing, Cranfield University, UK. The broad area for the research is the investigation of the digital evidence left on hard disks by users who have communicated via the Internet.

Thursday, November 12, 2009

I've updated the first post of this thread with everything we have so far (in something like alphabetical order). Thanks again to everyone who's contributed and please continue sending in details of anywhere not already listed.

Wednesday, November 11, 2009

"So COFEE has finally been leaked onto the Internet. It was inevitable and it’s a wonder that it wasn’t released sooner, but nevertheless it marks a sad day for the Law Enforcement computer forensics community...So why the long face, as the horse said to the Easter Island monolith? It’s the lolz. It’s all about the lolz, and a decrease thereof. Every so often COFEE is mentioned on a geek-news site like The Register or Slashdot, and whenever this happens, the comments come alive with a thousand angry, confused, wounded monkeys, all in an uproar about the existence of this pernicious tool..."

Friday, November 06, 2009

As many of you know I've recently made a start on building the new education section at Forensic Focus (hopefully bringing it online later this month) with the aim of listing every computer forensics university and college course worldwide.

I'd like to ask for your help in making sure I don't miss out any relevant institutions. The following is a list of the places currently on my master list - if you know of any place not listed below (and I'm sure there are many of them) I'd be grateful if you could either post a reply to this thread or email me with the details on admin @ forensicfocus.com. If you're able to provide a contact email address for a member of the teaching staff that would be great too (obviously if you yourself are a member of staff please don't hesitate to get in touch!)

OK, here's what I have so far:

UK

University of Bedfordshire
Birmingham City University (contact person details required)
University of Bradford
Coventry University
Cranfield University
De Montfort University (contact person details required)
University of Derby
University of East London (contact person details required)
Edinburgh Napier University
University of Glamorgan
University of Greenwich (contact person details required)
University of Huddersfield
Kingston University (contact person details required)
University of Central Lancashire
Leeds Metropolitan University
Lincolns College London (contact person details required)
Liverpool John Moores University (contact person details required)
London Metropolitan University
Middlesex University
Northumbria University
The Open University
University of Portsmouth
Royal Holloway, University of London
Staffordshire University
University of Strathclyde
University of Sunderland
Teesside University (contact person details required)
University of the West of England
University of Westminster

Ireland

University College Dublin
Dublin City University
Waterford Institute of Technology

US & Canada

Anne Arundel Community College
BCIT Centre for Forensics and Security Technology Studies
Bloomsburg University of Pennsylvania
Butler County Community College
California State University, Fullerton
Champlain College
DeVry University (contact person details required)
Edmonds Community College
University of Central Florida (contact person details required)
The George Washington University
Highline Community College (contact person details required)
Johns Hopkins University
John Jay College of Criminal Justice
Kaplan University - Hagerstown Campus (contact person details required)
Kennesaw State University
College of Lake County
Missouri Southern State University
Central Piedmont Community College
Pittsburgh Technical Institute
Purdue University Cyber Forensics Lab
University of Rhode Island (USA)
Rich Mountain Community College
Sam Houston State University
Stark State College of Technology
Stevenson University (contact person details required)
University of Texas at San Antonio
Tompkins Cortland Community College (contact person details required)
Walsh College
Washtenaw Community College (contact person details required)
Wilmington University (contact person details required)

Other

University of Cape Town (UCT)
University of Madras
University of Milan
Asian School of Cyber Laws (contact person details required)

If you can help by adding to this list or providing contact details I'd be very grateful - many thanks in advance!

Thursday, November 05, 2009

I'm in the middle of compiling the new education section for the site and am trying to contact as many academic institutions as possible. However, I'm having some difficulty contacting staff members at the following universities and colleges:

UK

Birmingham City University
De Montfort University
University of Greenwich
University of East London
Leeds Metropolitan University
Lincolns College London
Royal Holloway, University of London
Kingston University
Liverpool John Moores University
Teesside University

Ireland

Waterford Institute of Technology
Dublin City University

US

University of Central Florida
DeVry University
Highline Community College
Kaplan University - Hagerstown Campus
Stevenson University
Tompkins Cortland Community College
Walsh College
Washtenaw Community College
Wilmington University

Italy

University of Milan

India

University of Madras

If you have an email address for a member of the computer forensics teaching staff - preferably the course leader - at any of the above I'd be grateful if you could mail me with it (if you're comfortable doing so) or alternatively ask the staff member to contact me directly on admin @ forensicfocus.com if you think they might want their institution to appear in the new section (there's no fee for inclusion, I just want to make sure the details are accurate.)

Wednesday, October 14, 2009

"Folks, this is an opinion piece, and it's going to be a controversial one. Some of you started composing a scathing rebuttal to it as soon as you read the title. Normally I restrict myself to what I hope are useful technical tidbits, but like most of you out there, I'm a forensic practitioner, and I have little patience for time sinks which provide no benefit (no I'm not including the training in that category, save your flames for the end). I've always begrudged the time commitment (over and above what's required to actually take the training and learn the included material) required to attain certifications, despite which I'm in possession of five, soon to be six, not counting my master's degree, so I like to think I speak from some degree of experience..."

Thursday, September 24, 2009

Jim Gordon: I left school in Dundee, Scotland when I was 17 years old and joined the Royal Air Force Police. I served in the RAF Police for just over 15 years, the majority of which was spent in the Special Investigation Service. Like most service personnel I served all over the place including three years in Cyprus, also visiting Belize in Central America, the Falkland Islands and finishing off with three years at the Joint Headquarters at Rheindahlen near Monchengladbach in Germany.

On leaving the RAF I joined Merseyside Police where I served in Liverpool city centre. I ended up on a Pro Active vehicle crime unit. After three great years I transferred to West Mercia Police where I was initially stationed at Kidderminster to the South West of Birmingham.

West Mercia is the fourth largest geographic police area in England and Wales. It covers the Welsh border counties of Herefordshire, Worcestershire and Shropshire. While West Mercia is predominantly rural, it also contains some densely populated urban areas and many market towns. As you can imagine it was quite a culture shock compared to Liverpool City centre.

After a short period in uniform I spent a number of years on the Pro Active CID, mainly employed in drug investigations at a local level, before successfully applying to become a Detective in the Criminal Investigation Department. In 2001 I successfully applied to join the Hi Tech Crime Unit. As they say the rest is history.

Forensic Focus: Why did you decide to work in the field of computer crime investigation?

Jim Gordon: I was always interested in computers from my days of being the proud owner of a ZX Spectrum and later when I seriously upgraded to an Olivetti 486. Whilst in the CID at Kidderminster I successfully completed a project management course and later during 2000 had the opportunity of going on an attachment to help the Force introduce the National Intelligence Model. Whilst part of the project team I first came into contact with the Hi Tech Crime Unit that at that time consisted of one member of staff. During 2001 the Hi Tech Crime Unit expanded and I successfully applied for one of the roles within the unit. As you can see from my background I’ve always worked in an investigatory role which is something that I enjoy and so computer forensics allows me to continue this, learn new things everyday and support the investigation teams...

Wednesday, September 23, 2009

I'm delighted to announce the introduction of the Forensic Focus Graduate Recruitment program. Headed by respected computer forensics recruitment specialist David Sullivan and supported by technical experts in the fields of both computer and mobile forensics, this program aims to match graduates with suitable employers throughout the US, Canada and the UK.

"Helix 3 Enterprise (H3E) is e-fense’s flagship investigation suite pitched at a similar level as EnCase Enterprise or Access Data Enterprise. It’s aimed at organisations which need to be able to carry out incident response, forensics and e-discovery functions over networks. H3E facilitates centralised incident response, imaging of drives and volatile data and also enables scans and searches of a user’s internet history and documents on any computer which has had the H3E Agent pre-installed on it..."

Monday, August 24, 2009

For those who don't follow the forums, there's an interesting discussion ongoing here about hard disk sterilization (if, indeed, that's the term of choice). I'd like to encourage further comments and viewpoints on this topic so please don't hesitate to have your say!

Thursday, July 30, 2009

[Sean is a Forensic Focus forum regular and posts under the username "seanmcl"]

Forensic Focus: Sean, can you tell us something about your background?

Sean McLinden: My first exposure to computers was as an undergraduate when I saw an episode of the PBS series Nova about artificial intelligence (AI). Since I was headed to the University of Pittsburgh to begin a graduate study in Medicine I hooked up with the team of Jack D. Myers, MD, and Harry E. Pople, PhD., who were researching the development of programs which could mimic the actions of human diagnosticians. Their laboratory was kind of a skunkworks which not only explored artificial intelligence, but also computer networking, hardware design and operating systems. Everyone who worked there was expected to be well versed in computer design and applications and innovative and there were a lot of opportunities for creativity and independent action. That model became my model for building collaborative teams in which people are encouraged to think independently, question conventional wisdom and be self-motivating.

Following completion of medical training I was recruited to become the head of MIS for what would become a university affiliated teaching hospital. Whereas in the research lab, sharing was the norm, in a patient care setting, the security of the information is paramount. This experience also taught me how production IT operations work, including the human element, an understanding of which is critical to cost-effective enterprise forensics.

From there, I chaired a university graduate program in IT management and then directed a clinical outcomes research group before starting Outcome Technology Associates in 1998.

Forensic Focus: What type of work is Outcome Technology Associates, Inc. engaged in? What does your role as president involve?

Sean McLinden: Outcome Technology Associates began as an organization that developed software and refined practices for the health care industry. Specifically, we did data analysis for patient clinical trials and helped to design systems for the sharing of patient information via data networks. Because our work involved a high degree of confidentiality, we were retained by law firms which had the need not only for data capture and analysis, but also the ability to be discreet. At that time, computer forensics was unheard of and so, "experts" were drawn from the academic and business units where IT practices were the area of specialization.

Our first cases involved simple data recovery, preservation and analysis for use in civil and criminal legal proceedings. The paper record was still the standard for courtroom evidence and most computer forensics involved the detection of traces of the paper record on computers. In 1995, we were consulted by attorneys for the plaintiff on a very large case involving tens of thousands of electronic documents, including e-mail, which was thought to contain evidence of an intentional breach of contract by the defendant. The outcome of the case was a $30 million judgment in favor of our client, and that was the start of our full-time business.

Today we are involved in any and all types of civil and criminal investigations in which the preparation, storage or transmission of information in electronic format is involved. I can say, in all honesty, that each of our cases has had one or more features which is/are unique among all of our clients, so it would be hard to pin us down as specializing in one form of computer forensics...

Thursday, July 23, 2009

Digital evidence needs to come from somewhere, right? It doesn’t appear, “forensically sound”, from out of the blue. And the phrase “forensically sound” is key – the evidence needs to be acquired in a manner that ensures that the process doesn’t modify the evidence in any manner. There are exceptions to this – cell phones and live acquisitions come to mind – but even then, the process should be minimally invasive.

The key to this acquisition process is the ubiquitous write blocker, probably the most important tool in any acquisition kit. A write blocker was my first forensics hardware purchase and I keep my collection of write blockers up to date religiously.

The differences between write blockers used to be fairly significant in terms of quality, speed, features, and price. In the last year or two the number of options has expanded somewhat, the major vendors all have similar features, and the prices have come down. The major difference appears to be in the layout, form factor, and physical design of the units...

Thursday, July 16, 2009

From the forums...

ForensicMania asks: "Here is a quick question. I cloned a hard disk using a bit-by-bit copy and kept this hard disk without power in the evidence store. I was wondering, is there any limitation on the data storage lifetime of that hard disk if kept without providing power to it? E.g., will the data be there after five years?"

Logg replies: "You'll want to store your hard drives each in sealed, anti-static bags in a climate-controlled (arid) room. The baggies run under a dollar a piece at Fry's (or free if you keep them when you purchase hardware for yourself).

Power is your hard drive's enemy, so as long as you maintain low humidity, mild/moderate temperatures, and a generally dust-free environment, you'll be fine.

A flimsy CD that's damaged simply by prolonged exposure to sunlight can otherwise last to 100 years in storage (or so they say). An immobilized hard drive (and a backup drive if costs permit!) will last you the necessary 5 years ... with a few decades to spare..."

Monday, July 06, 2009

Collecting evidence accurately is clearly a foundational element for any ediscovery or forensics analysis project. The equipment required is important, but so are the supporting items – office supplies, forms, and documentation tools. And if you cannot find the items, or get them to the destination, it doesn't matter how great your tools are.

This kit, and the thoughts and processes behind it, attempt to address concerns I've encountered while doing collections all over the world. That said, it isn't perfect, even for my own needs. Treat this as a framework for building your own kit and if you can improve on this, please let me know how so I can improve my own processes.

Bear in mind that, in addition to this kit, I carry a laptop backpack everywhere. The backpack has my primary laptop for note taking and Internet research with WiFi and a cellular modem, cell phone cables, spare USB thumb drives, food, reading materials, and other basic necessities of any computer forensics analyst...

Cyberstalking is the new urban terror – the message rang home loud and clear at the Digital Safety Conference in London.

For although, in Cyberspace, no-one hears you scream, increasing numbers of people are getting off on imagining it.

The evils of instant communication – texting, live chat, social networking – were laid out in lurid detail before delegates meeting in a brick-lined space known as The Brewery, near the city’s Barbican.

Tales of horror: physical threats and psychological manipulation, poured out. The family pursued relentlessly via emails, bulletin board postings and websites dedicated to damaging their names for more than five years. The teenager who suffered Post Traumatic Stress Syndrome following a campaign of anonymous texts. The Information Age exposed in all its gory.

This, said former Scotland Yard detective, Hamish Brown, was the intimidation that kills lives, the silent terror that dogs every waking moment for harassed victims. Who stalks and why is the subject of ongoing research but the trend is that more men stalk women than the other way around. The style of mental torture is similar to that shown in cases of domestic violence, Brown asserted, and the perpetrator often has no previous convictions.

As the first police officer to charge an offender with Grievous Bodily Harm of the mind, Brown passionately believes that victims of cyber violence should be taken more seriously.

“It’s not right that you should have to be punched on the nose for something to happen,” he commented, and asked for a campaign to educate the public on the issue.

Two alarming presentations based on personal experience followed. Graham Brown-Martin described how he, his wife and small child ran from Jamaica to London after enduring a series of death threats and vicious slanders posted on the Internet. The virtual bullying followed them and has continued for five years. Despite continued threats, including an invitation to all-comers to murder the family published with a map of their whereabouts, the authorities have been unable to help. Differences in international law were quoted as the main difficulty.

Tuesday, June 30, 2009

Forensic Focus is pleased to support The National Society for the Prevention of Cruelty to Children (NSPCC), a charity which will be familiar to many UK members, especially those involved with child protection issues. The NSPCC's annual HACK (Hike Against Cruelty to Kids) is now in its fifth year and has so far raised over £250,000. After four successful years in the north this summer there are five 25 mile HACKS taking place in some of the most stunning locations across the UK: Yorkshire 5 September, Northern Ireland 5 September, Wales 12 September and Devon 27 September. And just in case you need any further motivation, there's a Forensic Focus T-Shirt for everyone who completes the hike - what more could you ask for?

Thursday, June 18, 2009

"Hi everyone and welcome to the new forum covering Live and Network forensics.

My name is Nick Furneaux from CSITech and if you don't know me or have never sat in a classroom with me, then hello! Jamie has kindly asked if I would assist in the moderation of this forum and I was delighted to accept. If you are truly bored you can waste 90 seconds of your life and find out more about me on my poorly used blog at nickfurneaux.blogspot.com.

In the past 3 years or so the subject of so called live forensics has become an increasingly discussed topic and most investigators now believe that a live response to a running machine constitutes best evidence, often ahead of pulling the plug and continuing with a traditional disk image.

Whereas disk imaging has a certain accepted methodology and protocol associated with it, live response still has the feeling of the Wild West about it and as much work as possible needs to be done by the community to work towards a generally accepted method and process. Hopefully this forum, broken out from the melee of other topics will assist with that process.

This, of course, is not to ignore the vital area of network investigations that tends not to get such a 'following' in respect to forum postings, hopefully that will change.

We are fortunate to have some leading lights in these subjects contributing to Forensic Focus (you know who you are) and we welcome your continued positive contribution and input."

Wednesday, June 17, 2009

We now have a new forum dedicated to live and network forensics (e.g. memory analysis, running process enumeration, network traffic analysis etc.) If you want to discuss something related to volatile data collection before or without pulling the plug then this is the right place.

That's only half the good news. I'm also delighted to announce that Nick Furneaux has agreed to be the moderator of this new forum which is a huge coup for all Forensic Focus members (for a recent interview with Nick, click here.)

Nick joins Greg Smith (our mobile forensics forum moderator) as another highly regarded and influential name in the forensics world willing to share their knowledge and experience in these forums - my thanks to them both!

There's a link within the interview to a documentary about the event which inspired Graham to put this conference together, and while there's nothing "technical" in it I think it's worth viewing for the perspective it gives of someone who's been a victim of computer crime (surprisingly, perhaps, something we don't discuss very often at Forensic Focus).

So, after five weeks Sonnex and Farmer have been found guilty of the appalling murders of Gabriel Ferez and Laurent Bonomo. I was actually at the Old Bailey on the first day of the trial (in the public gallery) and had hoped to return at a later date to see if there was any mobile forensics expert witness testimony - as seemed likely given the use of mobile phones on the date in question - but unfortunately my plans changed and I didn't have the chance. If anyone knows what part this evidence played in the trial please feel free to email me.

Friday, May 29, 2009

Received a note from Robert-Jan Mora this morning that the second Advanced Forensic Sessions from Hoffmann BV in the Netherlands will be held 16th – 20th November 2009. The Sessions are limited to 25 participants but the previous edition was completely booked so early registration is recommended (click here for full details).

Robert-Jan and his colleague Joachim Metz, together with others at Hoffmann, are some of the best in the business and I wish them every success with these new sessions.

I'd been looking forward to hearing Charlie McMurdie speak in person for some time, having published snippets from a number of her talks over the past few years. Charlie gave a good overview of current strategy intended to meet the challenges of e-Crime in the UK (forces acting independently of each other, lack of frontline knowledge/training, etc.) and introduced the Police Central e-Crime Unit, together with a sneak peek at their website which is yet to go live. Of most interest was her call (which I understand has been made previously - thanks Si!) for more dialogue and sharing of resources between police and industry in the UK. I managed to grab a few seconds of her time at the end of the talk to pass on my business card and quickly suggest an interview for Forensic Focus - something I intend to follow up on shortly. There's a lot of interest amongst private sector practitioners (both at the company and individual level) in working with the police and I'd like to help Charlie get the word out there about the possibilities for greater interaction.

Security At The Crossroads: Where Are We Headed?
Dr Whitfield Diffie

I expect most people reading this will have heard Whit Diffie speak before but I hadn't and I was keen not to miss him (apologies to all those I pushed out of my way while running to the seminar room!) Whit gave a potted history of cryptography starting a few hundred years ago but unfortunately it wasn't quite potted enough - by the time we got to the present day he'd run out of time and didn't really have a chance to explore the security "crossroads" we're at today in any great detail. That was certainly a shame but he's such an entertaining speaker that nobody seemed to mind too much - at least not those lining up to have their photo taken with him afterwards :-)

Phil Zimmermann made the brave choice to come to the UK and tell the local audience that British society is sleepwalking into a kind of Orwellian police state, with surveillance increasing at an alarming rate. His suggestion was that the Brits need to wake up and mobilise against this insidious evil. By and large this message was met with some approval - I particularly liked the chap who was outraged that our conference badges were being scanned before every seminar - and he also talked about his Zfone project towards the end of the session. If anyone has the chance to hear Phil speak in future, I highly recommend it - he gave us a lot to think about.

This was, without doubt, the most entertaining of the seminar sessions with the topic up for discussion being "What bit of computer security would you get rid of?" (or words to that effect). I really should have made some notes because I've forgotten most of the points raised - including some good one-liners from Whit - but what sticks in my mind most was Dan Kaminsky's thoughts on DNSSEC and its potential for securing our network infrastructure (unfortunately I didn't attend his earlier talk on just this topic but, just to clarify, he was arguing that DNSSEC has real potential, not arguing that we should get rid of it). One of the points he brought up was the failure of PKI as currently implemented to really gain any kind of foothold over the years and I wondered how different things might have been for forensic investigators if encryption - especially for email - had become the norm.

Wednesday, April 29, 2009

If you're the type of person who enjoys the company of middle-aged men in suits then Infosecurity Europe should probably be near the top of your list of conferences to attend. I last visited the show about 10 years ago when it was held in Olympia (Kensington, London) but it has since moved to a larger venue at Earls Court.

Infosecurity is very much the corporate face of the computer security industry and anyone who's visited or worked on one of the exhibitor stands will be familiar with the commercial heart of the event. There is more to it than just vendors, though, namely a series of free to attend talks, seminars and round-table discussions. Unless you're a large customer looking to develop pre-sales contacts or you're interested in learning more about a particular product I suspect the seminars are what you're going to get the most out of at Infosecurity.

So, what about forensics? Is there anything of interest to the forensic investigator as opposed to the computer security professional? Well, leaving aside the obvious benefits of learning more about a closely related discipline (cross-training for geeks, if you like) there are some highly relevant talks on the agenda:

"Who Should Police the Global Internet?"
"A Look at Global Encryption Deployment and Usage Trends"
"Anatomy of a Database Attack Through Forensics Analysis"
"The Dynamics of e-Crime"

Overall, though, Infosecurity does exactly what it says on the tin and caters first and foremost for corporate security professionals. I'll report back on some of the seminars I manage to see - right now I need to navigate my way to the other side of the hall avoiding as many sales pitches as possible (including those for the 10 minute massage!)

Wednesday, April 01, 2009

A breakthrough in computer forensics technology was announced today when investigators were told they would no longer be required to rely on text-based or simple point and click interfaces, but will instead be able to fully immerse themselves in a virtual investigative environment based around the exploits of fictional TV detectives.

A spokesperson for April Software Solutions (ASS), developers of the new forensic tool, said, "The heart and soul of this new system is the Forensic Object-Oriented Language (F.O.O.L.) which was developed right here in our Peckham laboratory. Instead of scripting in Perl or some other language, the F.O.O.L. system allows the investigator to parse the evidence image and create a fully immersive 3D environment where they play the role of a famous TV detective such as Sherlock Holmes or that bloke from Life on Mars. Items which require investigation - the Windows Registry or browser cache for example - are turned into virtual suspects who can be brought in for interrogation."

ASS says that an expansion pack based around the character of Jack Bauer from 24 will be available in the summer to deal with strong encryption.

Sunday, March 01, 2009

676 people completed the recent Forensic Focus survey and of those a large number included comments and suggestions in addition to answering the 9 questions. The first thing I'd like to do is to thank all respondents for their time and I'd also like to assure everyone that each answer, comment or suggestion has been read carefully - in fact, they've been read a number of times over the past few weeks. In addition, I thought that readers might be interested in the results of the survey (in broad terms, together with my own thoughts) and what those results may mean for the future direction of the site. So without further ado, let's get started:

Q1. What were your main reasons for registering an account at Forensic Focus?

The most common answer was the forums, with the newsletter and downloads section in second place rated almost equally.

Q2. How important for your own needs are the following sections at Forensic Focus?

Unsurprisingly perhaps, given the previous answer, the forums were ranked as very important by most respondents. I was interested to see that papers and articles were the next highest priority. The newsletter and daily news (i.e. homepage news items and RSS feed) ranked just a little below this with training/education links next. Still important but a little less than I had expected were interviews and job vacancies. The remaining options (e.g. events calendar, email group, LinkedIn group and videos) were all rated as somewhat important.

Q3. What computer forensics qualifications or certifications do you hold or intend to pursue?

The results here suggest that a college or university degree at Bachelor's level is the most common qualification held (with an MSc also quite popular in terms of current uptake and future intentions). Interestingly, the CCE and GCFA qualifications were less well represented than I had expected in terms of those who currently hold these qualifications but this was somewhat balanced by the figures which suggest they're high on the to do list for a lot of people in the next 12 months. What about training from the big 3 forensic software vendors (Guidance Software, Access Data and X-Ways)? Taking Guidance and Access Data first, the overall figures for Guidance were somewhat higher but for each company about half those who responded had taken training already and about half intended to do so in the next 12 months. The total figures for X-Ways were lower, especially as far as those who had already undergone training were concerned, but there was a strong showing in people intending to take X-Ways training over the next 12 months - not as many as those planning to train with Guidance or Access Data but certainly enough to suggest that X-Ways training is attracting a lot of interest.

Q4. How would you rate your current level of knowledge/expertise in the following areas?

As might be expected, collection/imaging, analysis and presentation skills were rated highly. Standards and legislation knowledge was rated as good and forensic laboratory management expertise was rated somewhere between average and good. The only other option, mobile phone forensics knowledge (handset/SIM/cell site analysis) was rated as below average to poor.

Q5. How much would you like to improve your expertise in the following subject areas in the next 12 months?

I think that this question and the next are the most relevant as far as the future of Forensic Focus is concerned. So, what skills are people most interested in developing? The simple answer to that seems to be...all of them! Every option presented received overwhelming support. Now, in a sense, that's not too surprising given the way the question is phrased, it almost goes without saying that any skill is something which people would like to see improved upon. With that said, a detailed look at the figures does reveal some interesting information. Firstly, if I had to pick one answer where the responses were ever so slightly less enthusiastic than the others it would be forensic laboratory management, but keep in mind that the overall desire to improve in this area was still very high. I think most of us would understand and expect this to be the case, I don't think we're at the stage yet where managing a lab is the primary ambition for most people working in the field, the greatest motivation for most practitioners is still probably the investigative process itself rather than higher level management. What else do the figures reveal? There are three main things which stood out: 1) Even though confidence in existing skills is high (see Q4) there's no evidence of over-confidence. On the contrary, continual improvement seems to be the highest priority for nearly all who completed the survey. 2) Enthusiasm for expertise in the areas of standards and legislation is just as high as for more technical matters (imaging, analysis, etc.) I was a little surprised by this, perhaps unfairly I had expected there would be a difference. 3) The desire to improve knowledge of mobile phone forensics was very high, in fact it was second only to computer analysis by just a few percent. In light of the related result for mobile phone forensics in Q4 I think this suggests there's a perceived demand for this skillset. 
The results for Q8 in relation to mobile forensics seem to confirm this.

Q6. How much would you like to see the following suggestions implemented at Forensic Focus?

This was very revealing and provided the clearest insight yet into what members would like to see at Forensic Focus in 2009. The results basically break down into two categories, those things people very much want to see either added or more of and those which they're still in favour of but to a slightly lesser degree. In the first category (i.e. things people *really* want to see) were reviews, articles/papers, standards and online/distance learning. In the second category (i.e. still keen on but slightly less enthusiastically) were interviews, job vacancies/career guidance, research into psychological effects of computer forensics, conferences, competitions and a podcast.

Q7. Which option best describes your current employment situation?

No big surprises. Most respondents work in either law enforcement or as company employees, with consultants and students making up the bulk of the rest of the numbers.

Q8. How often do you examine the following evidence sources as part of your job?

This is another revealing section. PCs/workstations, laptops/notebooks and USB flash drives/thumb drives were clearly the devices which are most often the subject of examination. Servers were then next on the list. Those devices which were least often examined were network devices (e.g. routers, switches), tape drives, portable entertainment devices (e.g. MP3 players, iPods) and game consoles. So far so unsurprising. What did strike me as interesting though were two figures: 1) PDAs (e.g. Palms, Blackberrys) were rarely or never examined by a significant proportion of respondents (I had expected them to be examined quite often) and 2) Mobile phones were examined somewhere between "sometimes" and "very often" by 45.6% of respondents. This struck me as an unusual figure given the number of people who had previously rated their knowledge of mobile phone examination as very poor but it would explain the high figure of those looking to improve their skills in this area.

Q9. Overall, how satisfied are you with Forensic Focus as a computer forensics resource?

91% of respondents were positively satisfied with Forensic Focus (the largest proportion of responses gave the site a mark of 6 out of a possible 7). 8% were neutral.

Q10. Additional comments or suggestions

A large number of people who completed the survey chose to enter comments in this section. On a personal note, I have to say I was overwhelmed by the number of positive comments left here - thank you all for your kind words, they're greatly appreciated. I was as surprised as I was delighted to hear that many people use Forensic Focus as their main or only channel for staying up to date with computer forensics issues. On a practical note, there were many useful comments and suggestions about what people like (or don't like) about the site and what they'd like to see added or improved. It's difficult to summarize things succinctly, some people wanted to see more of one thing and less of another while others wanted to see the exact opposite, but one theme seemed to be repeated with more frequency than any other and that was a desire for training/educational material built specifically to address real world scenarios.

Summary (or, where do we go from here?)

The first thing which struck me as the results of the survey started to come in was that this really is something I should have done a long time ago, it's a great way of taking the pulse of the membership and responding to their needs. I'm definitely going to make it a yearly event so expect to receive an email from me in about 11 months from now for the next one!

What have I discovered? Firstly, there's a huge appetite for learning - an appetite which doesn't seem to be diminished by any form of complacency, no matter how experienced the individual happens to be. Although the forums are the most popular area of the site this wasn't because people wanted to socialise or network, it was because that's where a lot of questions were answered. Secondly, although the forums are useful there's a desire for more structured learning with many people suggesting that it should be delivered online (as opposed to in a classroom). I think the benefits of online course delivery are clear in many cases but I suspect that because Forensic Focus has a global membership there's a significant proportion of members for whom distance learning is the only real option. Next, reviews (of software, hardware and training), articles/papers and standards are far more important to members than I had previously appreciated. Finally, there's a genuine sense of community and goodwill amongst the membership in relation to the Forensic Focus site and while I'm proud to have been involved in getting us to where we are now I also recognise two very important things - firstly, sincere thanks are due to all members for making the site what it is today and secondly there's a huge responsibility involved in taking us forward, what people learn from Forensic Focus can and most likely will be applied in situations which have the most serious consequences for those involved.

My thanks once again for everyone's participation in the survey - 2009 should be an interesting year!

It's fairly low-tech but does the job, I think. I'm happy to add/remove/move around feeds on this page if there's a sound case for doing so, the only two requirements which spring to mind immediately are that:

1. Feeds should be primarily focused on computer forensics (rather than security or forensics in general)

2. They should be updated frequently

I appreciate most people are probably using their own news readers to keep up to date with these feeds but I think (hope!) it's useful to have a page for browsing here too.

Monday, February 16, 2009

The survey is now closed and I've been spending quite a bit of time over the past few days analyzing the results - results which make interesting reading to say the least!

I'll be giving my take on various issues in the newsletter at the end of the month but in the meantime I'd like to say a huge heartfelt thanks to the nearly 700 people who took the time to complete the survey - every box ticked or comment left will be studied to help make sure that Forensic Focus meets your needs in the future.

Thursday, January 22, 2009

[The following is for non-members or members who have not received the email which went out earlier today]

Over the past six years the Forensic Focus website (http://www.forensicfocus.com) has grown steadily to meet visitors' needs but input from our membership has been fairly informal, with suggestions typically being posted to the forums or sent to me directly. Now that the site is well established, I'd like to take a more rigorous approach to finding out exactly what it is that everyone wants, what aspects of the site they find important, what areas they feel are less useful and what they would like to see added in the future.

With this in mind I have put together a very short survey (10 questions) in an attempt to "take the pulse" of those who use Forensic Focus. I'd also like to make this a regular occurrence, probably at the start of every new year so that I can plan for the coming twelve months and make sure that everyone's needs are met (as far as possible!)

I would be very grateful if you could take the time to complete the survey. There is no need to provide any personal or contact information and I will, of course, treat all information received in the strictest confidence.

The survey, which should take no more than 2 or 3 minutes to complete, can be found here.

Thank you very much in advance, your responses will have a direct influence on the future of Forensic Focus.

Thursday, January 08, 2009

As regular forum members may already be aware, Greg Smith has posted a SIM PIN Challenge in the new Mobile Forensics forum. Full details can be found here.

I think this is a great opportunity for anyone who wants to start learning more about the technical challenges of mobile phone forensics. It's also an opportunity to learn from a world-renowned expert in this field.

For those who are unfamiliar with this side of forensics work and don't know Greg, I hope to be able to interview him in the very near future and bring that to you. In the meantime, good luck with the challenge!

Friday, January 02, 2009

Happy New Year, everyone, I hope those hangovers are starting to wear off!

2008 was a good year for Forensic Focus with solid growth in visitor numbers and a significant increase in those registering new accounts (presumably to allow posting to the forums or subscription to the newsletter) towards the end of the year.

There won't be any resting on our laurels for 2009, though, and there are already one or two additions to the site in the pipeline (in fact, a few have been implemented already without much fanfare - more about those in a later post). In addition, I'd like to stress that Forensic Focus remains very much a community effort - if there's something you want to see, or something you're not happy with, by all means let me know. I can't promise to accommodate every request but I'll try my best!

To all our members and everyone else in the wider computer forensics world, all the very best for 2009!